From: Johannes Berg johannes.berg@intel.com
[ Upstream commit e7417421d89358da071fd2930f91e67c7128fbff ]
If the firmware gives bad input, that's nothing to do with the driver's stack at this point etc., so the WARN_ON() doesn't add any value. Additionally, this is one of the top syzbot reports now. Just print a message, and as an added bonus, print the sizes too.
Reported-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com Tested-by: syzbot+92c6dd14aaa230be6855@syzkaller.appspotmail.com Acked-by: Jeff Johnson jeff.johnson@oss.qualcomm.com Link: https://patch.msgid.link/20250617114529.031a677a348e.I58bf1eb4ac16a82c546725... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org ---
**YES**
This commit should be backported to stable kernel trees for the following reasons:
## Security and Stability Impact
1. **Syzbot Report**: The commit explicitly mentions this is "one of the top syzbot reports now", indicating it's a frequently triggered issue that impacts kernel stability testing. Syzbot is Google's continuous fuzzing infrastructure that finds kernel bugs, and high-frequency reports indicate significant impact.
2. **WARN_ON Misuse**: The removed WARN_ON is checking for bad firmware input, which violates kernel best practices. WARN_ON should only be used for "impossible" conditions that indicate kernel bugs, not for validating external input. As the commit message states: "If the firmware gives bad input, that's nothing to do with the driver's stack at this point."
3. **DoS Potential**: A WARN_ON can be triggered by malicious or corrupted firmware, potentially causing: - Stack traces in kernel logs (log spam) - Performance degradation - In some configurations, system panic (if panic_on_warn is set)
## Code Analysis
The change is minimal and safe: ```c - WARN_ON(1); + ath6kl_err("mismatched byte count %d vs. expected %zd\n", + le32_to_cpu(targ_info->byte_count), + sizeof(*targ_info)); ```
The fix: - Removes the inappropriate WARN_ON - Adds informative error logging with actual vs expected sizes - Maintains the same error handling path (return -EINVAL) - No functional changes beyond logging
## Similar Precedent
Looking at similar commits: - Commit #5 (ath6kl: reduce WARN to dev_dbg() in callback) - **Backported: YES** - Similar removal of WARN for known race condition - Commit #3 (ath10k: Change the warning message string) - **Backported: YES** - Modified warning to avoid syzbot confusion
## Stable Kernel Criteria
This meets stable kernel criteria: - **Fixes a real bug**: Addresses inappropriate WARN_ON usage that can be triggered by external input - **Minimal change**: Only removes WARN_ON and adds error message - **Low risk**: No functional changes, just logging improvement - **Tested**: Explicitly tested by syzbot - **Clear benefit**: Reduces false positive warnings and improves debugging
The commit is a straightforward fix that improves kernel robustness without introducing new risks, making it an ideal candidate for stable backporting.
drivers/net/wireless/ath/ath6kl/bmi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath6kl/bmi.c b/drivers/net/wireless/ath/ath6kl/bmi.c index af98e871199d3..5a9e93fd1ef42 100644 --- a/drivers/net/wireless/ath/ath6kl/bmi.c +++ b/drivers/net/wireless/ath/ath6kl/bmi.c @@ -87,7 +87,9 @@ int ath6kl_bmi_get_target_info(struct ath6kl *ar, * We need to do some backwards compatibility to make this work. */ if (le32_to_cpu(targ_info->byte_count) != sizeof(*targ_info)) { - WARN_ON(1); + ath6kl_err("mismatched byte count %d vs. expected %zd\n", + le32_to_cpu(targ_info->byte_count), + sizeof(*targ_info)); return -EINVAL; }